Personal Liability, Security Becomes Bigger Issues for CISOs



Chuck Norton had only been on the job as the chief information security officer at Western Michigan University for a few months when a jury found another CISO — of ride-hailing app Uber — guilty of covering up a compromise.

Norton was concerned about the potential to be held criminally liable for a breach — or the response to a compromise — and sought to make legal protections part of his contract. While he received verbal assurances, he realized that those promises would not be in writing.

"I didn't have any protections at all, and it was a huge concern, particularly because I was stuck at the confluence of being accountable for everything and having authority over nothing," says Norton, who left his role in April and is now a senior technical security advisor for cyber insurer Resilience. "There's a modicum of trust that senior leadership gives to the CISO to say, 'We are trusting you to make all the right decisions.' That's great, but on the other hand it very much felt like the sword of Damocles was hanging over my head, just waiting to drop."

Norton is not alone. As CISOs' roles expand, the risks they face grow as well. In addition to responsibility for their organizations' cybersecurity posture and incident response, CISOs are often responsible for compliance, cyber resilience efforts, and their company's approach to deploying artificial intelligence.


Yet the increase in responsibilities does not always come with an increase in support or budget. Two events in 2023 caused many companies and CISOs to reevaluate their legal protections: the conviction of former Uber CISO Joseph Sullivan, which is currently under appeal, and the Securities and Exchange Commission (SEC) charging SolarWinds and its CISO with "fraud and internal control failures."

More Risk for CISOs, Same Risks for Businesses

It would be great if the concerns led to better cybersecurity and more resilience for companies, but that has not happened, says Marshall Erwin, CISO at Fastly, a cloud-services and content-delivery provider.

"Instead, what we've seen is a response that largely seeks to address liability concerns by doing things such as providing liability insurance related to security for critical security leaders, as well as sort of modifying SEC disclosure documents, things like that," he says. "Those are not necessarily bad things, but they're not actually ... improving a company's security posture in a meaningful way, which I think should be the actual intent of a liability regime."

Overall, 93% of organizations have made policy changes over the past 12 months to address CISOs' personal liability concerns, but the changes do not always impact security: Thirty-eight percent of companies increased scrutiny of documents filed with the SEC, and 38% pledged to provide more legal protections for cybersecurity staff, according to survey data published by Fastly in March.


Cyberattackers are all too aware of CISOs' concerns. Last year, a hacker claimed to have the data on 31 million customers of Indian insurance firm Star Health and Allied Insurance and, worse, alleged that the company's CISO sold him the data. An investigation cleared the CISO a month later, but the incident marked the latest personal and professional threat targeting CISOs.

Other cases have resulted in significant legal jeopardy for the affected companies, even when they've successfully defended themselves. In 2024, for example, a judge dismissed much of the SEC's case against SolarWinds, and the agency settled with the company last month. (SolarWinds also announced it was going private in February, removing the firm from SEC jurisdiction.)

Are More Personal Threats in the Future?

CISOs, like other C-suite executives, face personal safety threats. Those in the public eye will likely face deepfake attacks, which are often aimed at getting employees and co-workers to give up information or access to systems.


A potential breach of his personal life caused Caleb Sima — the former chief security officer of trading platform Robinhood and now founding general partner at Whiterabbit Ventures, an early-stage cybersecurity investment firm — to assess his and his family's online safety and work to lock down their private details.

As attackers focus increasingly on detail-oriented attacks, which can also fuel schemes founded on deepfakes, every cybersecurity executive should spend some time assessing their risk, Sima says. 

"Attackers use social media for detailed [open source intelligence] — travel patterns, family details, business relationships," he says. "I've seen cases where attackers timed phishing campaigns around executive travel posts."

Sima notes that his family's risk is also elevated because his wife is a chef influencer and her show features family members. Other cybersecurity executives should gauge all the factors that might affect their safety — not just personal but professional as well. The CISO of an online shopping site, for example, might be less of a target than the CISO of a financial trading firm, he says.

"Balancing the risk, spend, and time on executive protection programs should be assessed based on the role and company context," Sima says.

Focus on Security, Not Liability

CISOs should focus on presenting other executives and the board with a clear picture of the organization's risk and a plan for how resources are being deployed to minimize that risk, says Fastly's Erwin. Because some companies have addressed the liability side of the equation, but not the security side, many companies' responses may skew toward liability mitigation, he says.

"The pressure on this seems to have backed off a little bit in a way that I think CISOs are a little less scared today than I feel like they were a year ago," Erwin says. "But I don't think of that as progress. I think the idea of accountability is that we want to incentivize stronger security, and just because security leaders aren't necessarily going to face as much immediate liability pressure doesn't mean that they are more properly incentivized to strengthen their company's security program."

For Resilience's Norton, if he takes a CISO position in the future, he will be looking for a specific culture — and specific contract language, he says.

"I will be a lot more picky and a lot more thoughtful and mindful about the culture of an organization that I consider," he says. "To me, the culture component is so much more important than the technical controls because where there's a will, there's a way, and if there's not a will, it doesn't matter what controls you have or need to put in place. It's just not going to get done."
